DNSSEC Debugger - bogus.d2a1n1.rootcanary.net

Domain Name:

Time: 2025-12-18 00:44:36 UTC

Analyzing DNSSEC problems for bogus.d2a1n1.rootcanary.net

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to e.root-servers.net for ./DNSKEY
	Received 1139 bytes from 192.203.230.10
	;; Response received from [192.203.230.10] 1139 octets ;; HEADER SECTION ;; id = 16259 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (4 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20251231000000 20251210000000 20326 . GtG815YBui59E5sObprF3pDkJhEZQhPIgRdJAGItKoXToXmek0SDpBkg7wsmoM/WWeDNWaYecNTO tz3HTi5ncNHH/vPwBSySDS2AlGCcXDH5gdoh1bIjU98OoT2QfdeujlTr8UqJ60woWwC3HUb2oyeT YSYAargeWYJ4KvNh1vkhcyg9ygR12ohkCC5XhAWucdmuVwnE5Y9qABCStI27yYppoGv36UHakdqW rhdUStla6r0C4f4BudLZX/EkFRlUUhxkwa+XtLfYO2QQxCfuot0Msne9FVEe4HNkFutJw4mGNgQZ yESjt9Q8bGbzCngJgV89HzM02ChJAVofG2ltew== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20251231000000 20251210000000 20326 . GtG815YBui59E5sObprF3pDkJhEZQhPIgRdJAGItKoXToXmek0SDpBkg7wsmoM/WWeDNWaYecNTO tz3HTi5ncNHH/vPwBSySDS2AlGCcXDH5gdoh1bIjU98OoT2QfdeujlTr8UqJ60woWwC3HUb2oyeT YSYAargeWYJ4KvNh1vkhcyg9ygR12ohkCC5XhAWucdmuVwnE5Y9qABCStI27yYppoGv36UHakdqW rhdUStla6r0C4f4BudLZX/EkFRlUUhxkwa+XtLfYO2QQxCfuot0Msne9FVEe4HNkFutJw4mGNgQZ yESjt9Q8bGbzCngJgV89HzM02ChJAVofG2ltew== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=61809 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to m.root-servers.net for bogus.d2a1n1.rootcanary.net/A
	Received 1190 bytes from 202.12.27.33
	;; Response received from [202.12.27.33] 1190 octets ;; HEADER SECTION ;; id = 10741 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 15 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (15 records) net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20251230220000 20251217210000 61809 . 2oA8qB/9ZrpJe3Sggo0jgSRdVBsy50nyx0cFjdjb3bkJ0SJ2UCgg6Q+YCYBs/ax50tUoQtMr/6K6 EvWaWydsCRiiZPmKkvMffryWvsSVpi+JbjyKA6Bz0fWgdqqNXlcqzC+NtrqoYCEhzvbd+T4XSX7q wo0wQak8PJ+HCg8/J6jgZRQpWdXTM1T2sIXO3jMTWDeOOsntR/ZF9eHc93fFwT1N+4fewL0qu/Ue fo4nAaselXpF6VYVZTFteprUjZtoKIYio/Dx/awhejBlt/zpjMVNC/ENn7H+PA7okc2JLA7V6zjE 1P+UYANw2xVKgssxhR/Wg3EMAOTJs2SqbaKiTg== ) ;; ADDITIONAL SECTION (27 records) m.gtld-servers.net. 172800 IN A 192.55.83.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 c.gtld-servers.net. 172800 IN A 192.26.92.30 b.gtld-servers.net. 172800 IN A 192.33.14.30 a.gtld-servers.net. 172800 IN A 192.5.6.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 ;; { "EDNS-VERSION": 0 }
	Query to f.root-servers.net for net/DNSKEY
	Received 1160 bytes from 192.5.5.241
	;; Response received from [192.5.5.241] 1160 octets ;; HEADER SECTION ;; id = 8157 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 15 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (15 records) net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20251230220000 20251217210000 61809 . 2oA8qB/9ZrpJe3Sggo0jgSRdVBsy50nyx0cFjdjb3bkJ0SJ2UCgg6Q+YCYBs/ax50tUoQtMr/6K6 EvWaWydsCRiiZPmKkvMffryWvsSVpi+JbjyKA6Bz0fWgdqqNXlcqzC+NtrqoYCEhzvbd+T4XSX7q wo0wQak8PJ+HCg8/J6jgZRQpWdXTM1T2sIXO3jMTWDeOOsntR/ZF9eHc93fFwT1N+4fewL0qu/Ue fo4nAaselXpF6VYVZTFteprUjZtoKIYio/Dx/awhejBlt/zpjMVNC/ENn7H+PA7okc2JLA7V6zjE 1P+UYANw2xVKgssxhR/Wg3EMAOTJs2SqbaKiTg== ) ;; ADDITIONAL SECTION (27 records) a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN A 192.26.92.30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 d.gtld-servers.net. 172800 IN A 192.31.80.30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 e.gtld-servers.net. 172800 IN A 192.12.94.30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 f.gtld-servers.net. 172800 IN A 192.35.51.30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 g.gtld-servers.net. 172800 IN A 192.42.93.30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 h.gtld-servers.net. 172800 IN A 192.54.112.30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 i.gtld-servers.net. 172800 IN A 192.43.172.30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 j.gtld-servers.net. 172800 IN A 192.48.79.30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 k.gtld-servers.net. 172800 IN A 192.52.178.30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 l.gtld-servers.net. 172800 IN A 192.41.162.30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 m.gtld-servers.net. 172800 IN A 192.55.83.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 ;; { "EDNS-VERSION": 0 }
	Found child zone net

net

	Checking DS between . and net
	Query to m.root-servers.net for net/DS
	Received 367 bytes from 202.12.27.33
	;; Response received from [202.12.27.33] 367 octets ;; HEADER SECTION ;; id = 1034 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DS ;; ANSWER SECTION (2 records) net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20251230220000 20251217210000 61809 . 2oA8qB/9ZrpJe3Sggo0jgSRdVBsy50nyx0cFjdjb3bkJ0SJ2UCgg6Q+YCYBs/ax50tUoQtMr/6K6 EvWaWydsCRiiZPmKkvMffryWvsSVpi+JbjyKA6Bz0fWgdqqNXlcqzC+NtrqoYCEhzvbd+T4XSX7q wo0wQak8PJ+HCg8/J6jgZRQpWdXTM1T2sIXO3jMTWDeOOsntR/ZF9eHc93fFwT1N+4fewL0qu/Ue fo4nAaselXpF6VYVZTFteprUjZtoKIYio/Dx/awhejBlt/zpjMVNC/ENn7H+PA7okc2JLA7V6zjE 1P+UYANw2xVKgssxhR/Wg3EMAOTJs2SqbaKiTg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for net in the . zone
	DS=37331/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`net. 86400 IN RRSIG ( DS 8 1 86400 20251230220000 20251217210000 61809 . 2oA8qB/9ZrpJe3Sggo0jgSRdVBsy50nyx0cFjdjb3bkJ0SJ2UCgg6Q+YCYBs/ax50tUoQtMr/6K6 EvWaWydsCRiiZPmKkvMffryWvsSVpi+JbjyKA6Bz0fWgdqqNXlcqzC+NtrqoYCEhzvbd+T4XSX7q wo0wQak8PJ+HCg8/J6jgZRQpWdXTM1T2sIXO3jMTWDeOOsntR/ZF9eHc93fFwT1N+4fewL0qu/Ue fo4nAaselXpF6VYVZTFteprUjZtoKIYio/Dx/awhejBlt/zpjMVNC/ENn7H+PA7okc2JLA7V6zjE 1P+UYANw2xVKgssxhR/Wg3EMAOTJs2SqbaKiTg== )`
	RRSIG=61809 and DNSKEY=61809 verifies the DS RRset
	DS=37331/SHA-256 is now in the chain-of-trust
	`net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b )`
	Query to l.gtld-servers.net for net/DNSKEY
	Received 291 bytes from 192.41.162.30
	;; Response received from [192.41.162.30] 291 octets ;; HEADER SECTION ;; id = 62322 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DNSKEY ;; ANSWER SECTION (3 records) net. 86400 IN DNSKEY ( 257 3 13 HiBoGpzDRAgrDmUXXTSnl7jCX6Hx5bzkU2jSxMbVI01yS+13EyOghnCidBXU0bH2gi2w9GhYGacp U6CrtwoFNg== ) ; keytag 37331 net. 86400 IN DNSKEY ( 256 3 13 n1/xo9dFf3KM3jYGnOXOzhVK5LsgTqM4BnTeyBLml4GNNYgs/Wmr3YA8pvodMthc1wD4nH7wL5vY Tag4cROQJg== ) ; keytag 17133 net. 86400 IN RRSIG ( DNSKEY 13 1 86400 20251223151035 20251208150535 37331 net. ehjbbcDeGgGYo9yEYCeDBoknioZm0+Dx4BznWkjdqONADkj8F6UW1OqWhN1gWHkl7asUNETCtw24 6Nt3mHiz2w== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for net
	`net. 86400 IN DNSKEY ( 257 3 13 HiBoGpzDRAgrDmUXXTSnl7jCX6Hx5bzkU2jSxMbVI01yS+13EyOghnCidBXU0bH2gi2w9GhYGacp U6CrtwoFNg== ) ; keytag 37331`
	`net. 86400 IN DNSKEY ( 256 3 13 n1/xo9dFf3KM3jYGnOXOzhVK5LsgTqM4BnTeyBLml4GNNYgs/Wmr3YA8pvodMthc1wD4nH7wL5vY Tag4cROQJg== ) ; keytag 17133`
	DNSKEY=37331/SEP is now in the chain-of-trust
	DS=37331/SHA-256 verifies DNSKEY=37331/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`net. 86400 IN RRSIG ( DNSKEY 13 1 86400 20251223151035 20251208150535 37331 net. ehjbbcDeGgGYo9yEYCeDBoknioZm0+Dx4BznWkjdqONADkj8F6UW1OqWhN1gWHkl7asUNETCtw24 6Nt3mHiz2w== )`
	RRSIG=37331 and DNSKEY=37331/SEP verifies the DNSKEY RRset
	DNSKEY=17133 is now in the chain-of-trust
	Query to k.gtld-servers.net for bogus.d2a1n1.rootcanary.net/A
	Received 551 bytes from 192.52.178.30
	;; Response received from [192.52.178.30] 551 octets ;; HEADER SECTION ;; id = 29782 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 8 arcount = 3 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (8 records) rootcanary.net. 172800 IN NS ns1.surfnet.nl. rootcanary.net. 172800 IN NS ns2.surfnet.nl. rootcanary.net. 172800 IN NS ns3.surfnet.nl. rootcanary.net. 172800 IN NS ns1.zurich.surf.net. A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 ( 1 1 0 - a1rtlnpgulogn7b9a62shje1u3ttp8dr NS SOA RRSIG DNSKEY NSEC3PARAM ) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG ( NSEC3 13 2 900 20251221045838 20251214034838 17133 net. tyx1ardwg052NnF2ZMPXbiklorLADOlyZW/p+RO9J1vuy2OnASLXSaYnfgclbnb6FSuM3tBovB7u CIfCxzt2iw== ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN NSEC3 ( 1 1 0 - cq5j9mfqo7euvgh7flggm8tfo3fdsn4g NS DS RRSIG ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN RRSIG ( NSEC3 13 2 900 20251224055608 20251217044608 17133 net. dpfTSffWlNT3HzHleW0CDYdzRC05cTYovM9wOlVz8r32fl5IHO/YeNPIEBJvYPTo8a63Pbu+OcZu jN7DOsSDxA== ) ;; ADDITIONAL SECTION (3 records) ns1.zurich.surf.net. 172800 IN A 195.176.255.9 ns1.zurich.surf.net. 172800 IN AAAA 2001:620:0:9::1103 ;; { "EDNS-VERSION": 0 }
	Query to b.gtld-servers.net for rootcanary.net/DNSKEY
	Received 538 bytes from 192.33.14.30
	;; Response received from [192.33.14.30] 538 octets ;; HEADER SECTION ;; id = 54674 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 8 arcount = 3 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (8 records) rootcanary.net. 172800 IN NS ns1.surfnet.nl. rootcanary.net. 172800 IN NS ns2.surfnet.nl. rootcanary.net. 172800 IN NS ns3.surfnet.nl. rootcanary.net. 172800 IN NS ns1.zurich.surf.net. A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 ( 1 1 0 - a1rtlnpgulogn7b9a62shje1u3ttp8dr NS SOA RRSIG DNSKEY NSEC3PARAM ) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG ( NSEC3 13 2 900 20251221045838 20251214034838 17133 net. tyx1ardwg052NnF2ZMPXbiklorLADOlyZW/p+RO9J1vuy2OnASLXSaYnfgclbnb6FSuM3tBovB7u CIfCxzt2iw== ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN NSEC3 ( 1 1 0 - cq5j9mfqo7euvgh7flggm8tfo3fdsn4g NS DS RRSIG ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN RRSIG ( NSEC3 13 2 900 20251224055608 20251217044608 17133 net. dpfTSffWlNT3HzHleW0CDYdzRC05cTYovM9wOlVz8r32fl5IHO/YeNPIEBJvYPTo8a63Pbu+OcZu jN7DOsSDxA== ) ;; ADDITIONAL SECTION (3 records) ns1.zurich.surf.net. 172800 IN A 195.176.255.9 ns1.zurich.surf.net. 172800 IN AAAA 2001:620:0:9::1103 ;; { "EDNS-VERSION": 0 }
	Found child zone rootcanary.net

rootcanary.net

	Checking DS between net and rootcanary.net
	Query to f.gtld-servers.net for rootcanary.net/DS
	Received 572 bytes from 192.35.51.30
	;; Response received from [192.35.51.30] 572 octets ;; HEADER SECTION ;; id = 25397 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DS ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 ( 1 1 0 - a1rtlnpgulogn7b9a62shje1u3ttp8dr NS SOA RRSIG DNSKEY NSEC3PARAM ) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG ( NSEC3 13 2 900 20251221045838 20251214034838 17133 net. tyx1ardwg052NnF2ZMPXbiklorLADOlyZW/p+RO9J1vuy2OnASLXSaYnfgclbnb6FSuM3tBovB7u CIfCxzt2iw== ) net. 900 IN SOA ( a.gtld-servers.net. nstld.verisign-grs.com. 1766018649 ;serial 1800 ;refresh 900 ;retry 604800 ;expire 900 ;minimum ) net. 900 IN RRSIG ( SOA 13 1 900 20251225004409 20251217233409 17133 net. 7JUfoxEDv/I07NlKAPRzpAkPkaSNvOsQjTYZ6mXx5s7M7SVC/+kCiCTiZCYfLkZ6DiBM8oqymxSB hOoU086ZmA== ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN NSEC3 ( 1 1 0 - cq5j9mfqo7euvgh7flggm8tfo3fdsn4g NS DS RRSIG ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN RRSIG ( NSEC3 13 2 900 20251224055608 20251217044608 17133 net. dpfTSffWlNT3HzHleW0CDYdzRC05cTYovM9wOlVz8r32fl5IHO/YeNPIEBJvYPTo8a63Pbu+OcZu jN7DOsSDxA== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	No DS records found for rootcanary.net in the net zone
	Query to ns3.surfnet.nl for rootcanary.net/DNSKEY
	Received 513 bytes from 195.169.124.71
	;; Response received from [195.169.124.71] 513 octets ;; HEADER SECTION ;; id = 4881 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DNSKEY ;; ANSWER SECTION (3 records) rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paSjzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scf U+wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w 88+jL0gkFb8klGzr03EFrq6r ) ; keytag 64786 rootcanary.net. 60 IN DNSKEY ( 256 3 8 AwEAAbTt2EpLNxL2BJh6zgrhiEBK1sfxYPvEQgQkM1O53+lnT+c8W+9lYMhI1m2mLwecKvq7ePok 5d1XO11UKUXV5pRD9d66qXLwDxMJ4krEMlOvmMS/HWskybkREtMdPdcv5eNdtuT8VeCPTGZuoNe2 oEK4NFSUU5eG0pkWo27Kl3oV ) ; keytag 25188 rootcanary.net. 60 IN RRSIG ( DNSKEY 8 2 60 20260131073701 20251216073701 64786 rootcanary.net. MDf7uWNkRkq57UhwFnOCIK6ROJsi0G1USTA8VVT6ivNndVjkI/GHPJotRk9VGlBca4fTa7CuiXQb 6D3btblm/qnLiOBGZX22p0RvZSjRSwOq5+SP1cQlXNwnp4DLdyl2Gmeu1Y5WglU0HRfAde20/G75 CQU2rKT2PNPl/c2fgN0= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for rootcanary.net
	`rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paSjzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scf U+wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w 88+jL0gkFb8klGzr03EFrq6r ) ; keytag 64786`
	`rootcanary.net. 60 IN DNSKEY ( 256 3 8 AwEAAbTt2EpLNxL2BJh6zgrhiEBK1sfxYPvEQgQkM1O53+lnT+c8W+9lYMhI1m2mLwecKvq7ePok 5d1XO11UKUXV5pRD9d66qXLwDxMJ4krEMlOvmMS/HWskybkREtMdPdcv5eNdtuT8VeCPTGZuoNe2 oEK4NFSUU5eG0pkWo27Kl3oV ) ; keytag 25188`
	Found 1 RRSIGs over DNSKEY RRset
	`rootcanary.net. 60 IN RRSIG ( DNSKEY 8 2 60 20260131073701 20251216073701 64786 rootcanary.net. MDf7uWNkRkq57UhwFnOCIK6ROJsi0G1USTA8VVT6ivNndVjkI/GHPJotRk9VGlBca4fTa7CuiXQb 6D3btblm/qnLiOBGZX22p0RvZSjRSwOq5+SP1cQlXNwnp4DLdyl2Gmeu1Y5WglU0HRfAde20/G75 CQU2rKT2PNPl/c2fgN0= )`
	RRSIG=64786 and DNSKEY=64786/SEP verifies the DNSKEY RRset
	Query to ns2.surfnet.nl for bogus.d2a1n1.rootcanary.net/A
	Received 253 bytes from 192.87.36.2
	;; Response received from [192.87.36.2] 253 octets ;; HEADER SECTION ;; id = 65445 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d2a1n1.rootcanary.net. 60 IN A 145.97.20.20 bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns2.surfnet.nl is authoritative for bogus.d2a1n1.rootcanary.net
	Query to ns3.surfnet.nl for d2a1n1.rootcanary.net/DNSKEY
	Received 379 bytes from 195.169.124.71
	;; Response received from [195.169.124.71] 379 octets ;; HEADER SECTION ;; id = 56107 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d2a1n1.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (2 records) d2a1n1.rootcanary.net. 60 IN DNSKEY ( 257 3 1 AwEAAdXdLh4S/z+hiYnykt3tRC2jUcdhRto7PbSxyz20iS+WSJrPCVM6KyeCRYO3/2RxOruwD02M /WO3b1bUgnj+XhTn+oAxV2pZPxulTVmqmuQccE+2FocU83c7VQYje+Q2i2AW95YTPD7AEMLreC3x 8A7aRFVxwXXwvkjmaNu0K14x ) ; keytag 11102 d2a1n1.rootcanary.net. 60 IN RRSIG ( DNSKEY 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. D2G4BA1U0q3LLGjVhngn0yDM8pknQgVYVKVRb46NAt7xBs/HdWcCclb23L1VeIrS3WLszsqBv6T+ cQrQdFJE4UMX0Yv6hft/jhBzIv5qQqnKN50TNx4Fre0AtM026qS6YJw+oInBwmMOuk4Y5sdJfb+K 7HI8dn9mw3iJprSiKMI= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone d2a1n1.rootcanary.net
	Attempting to learn nameservers for d2a1n1.rootcanary.net
	Query to ns2.surfnet.nl for d2a1n1.rootcanary.net/NS
	Received 279 bytes from 192.87.36.2
	;; Response received from [192.87.36.2] 279 octets ;; HEADER SECTION ;; id = 22543 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d2a1n1.rootcanary.net. IN NS ;; ANSWER SECTION (3 records) d2a1n1.rootcanary.net. 60 IN NS sec1.rcode0.net. d2a1n1.rootcanary.net. 60 IN NS sec2.rcode0.net. d2a1n1.rootcanary.net. 60 IN RRSIG ( NS 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. WnxFQ0sCQ7o8rdua6MYEC/GF9bF8NGsvZ6F5L9E4qZgFS3tEdWkNFx9+nmlwQbWegDblZEEVH1NY GsGLL7VR4AwlOeY/fG4lFFrndPU2mxp2HKgfOGMAXA/wHnIQBKuAZym3o+ZO3wIoFaYN8ntyJX5Y nwKnUwKlr1xXzZzVna8= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found d2a1n1.rootcanary.net nameservers: sec1.rcode0.net, sec2.rcode0.net

d2a1n1.rootcanary.net

	Checking DS between rootcanary.net and d2a1n1.rootcanary.net
	Query to ns1.zurich.surf.net for d2a1n1.rootcanary.net/DS
	Received 272 bytes from 195.176.255.9
	;; Response received from [195.176.255.9] 272 octets ;; HEADER SECTION ;; id = 51616 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d2a1n1.rootcanary.net. IN DS ;; ANSWER SECTION (2 records) d2a1n1.rootcanary.net. 60 IN DS ( 11102 1 2 61a8b809ca2e35b9a082a9998c2b33cb1657b1151d65bdb92805592b181c9382 ) d2a1n1.rootcanary.net. 60 IN RRSIG ( DS 8 3 60 20260131073701 20251216073701 25188 rootcanary.net. DRJPGuk4YayTj+HgYX5foTVvkWpIQxv/nlM6c1kc/qfsb0bEG2Fcv47ry7CHc7gkH8ds2zG8Hwmc nsJ91tjCGKxoOvv/lBVgnATlu2ygMqD8+osUmeiK4lilxhN+EspHATk2klCIgXS9txg5ERm9DWF0 cm8G4YObvsFS1873oZM= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for d2a1n1.rootcanary.net in the rootcanary.net zone
	DS=11102/SHA-256 has algorithm RSAMD5
	Found 1 RRSIGs over DS RRset
	`d2a1n1.rootcanary.net. 60 IN RRSIG ( DS 8 3 60 20260131073701 20251216073701 25188 rootcanary.net. DRJPGuk4YayTj+HgYX5foTVvkWpIQxv/nlM6c1kc/qfsb0bEG2Fcv47ry7CHc7gkH8ds2zG8Hwmc nsJ91tjCGKxoOvv/lBVgnATlu2ygMqD8+osUmeiK4lilxhN+EspHATk2klCIgXS9txg5ERm9DWF0 cm8G4YObvsFS1873oZM= )`
	RRSIG=25188 and DNSKEY=25188 verifies the DS RRset
	`d2a1n1.rootcanary.net. 60 IN DS ( 11102 1 2 61a8b809ca2e35b9a082a9998c2b33cb1657b1151d65bdb92805592b181c9382 )`
	Query to sec2.rcode0.net for d2a1n1.rootcanary.net/DNSKEY
	Received 379 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 379 octets ;; HEADER SECTION ;; id = 45366 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d2a1n1.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (2 records) d2a1n1.rootcanary.net. 60 IN RRSIG ( DNSKEY 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. D2G4BA1U0q3LLGjVhngn0yDM8pknQgVYVKVRb46NAt7xBs/HdWcCclb23L1VeIrS3WLszsqBv6T+ cQrQdFJE4UMX0Yv6hft/jhBzIv5qQqnKN50TNx4Fre0AtM026qS6YJw+oInBwmMOuk4Y5sdJfb+K 7HI8dn9mw3iJprSiKMI= ) d2a1n1.rootcanary.net. 60 IN DNSKEY ( 257 3 1 AwEAAdXdLh4S/z+hiYnykt3tRC2jUcdhRto7PbSxyz20iS+WSJrPCVM6KyeCRYO3/2RxOruwD02M /WO3b1bUgnj+XhTn+oAxV2pZPxulTVmqmuQccE+2FocU83c7VQYje+Q2i2AW95YTPD7AEMLreC3x 8A7aRFVxwXXwvkjmaNu0K14x ) ; keytag 11102 ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DNSKEY records for d2a1n1.rootcanary.net
	`d2a1n1.rootcanary.net. 60 IN DNSKEY ( 257 3 1 AwEAAdXdLh4S/z+hiYnykt3tRC2jUcdhRto7PbSxyz20iS+WSJrPCVM6KyeCRYO3/2RxOruwD02M /WO3b1bUgnj+XhTn+oAxV2pZPxulTVmqmuQccE+2FocU83c7VQYje+Q2i2AW95YTPD7AEMLreC3x 8A7aRFVxwXXwvkjmaNu0K14x ) ; keytag 11102`
	DS=11102/SHA-256 verifies DNSKEY=11102/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`d2a1n1.rootcanary.net. 60 IN RRSIG ( DNSKEY 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. D2G4BA1U0q3LLGjVhngn0yDM8pknQgVYVKVRb46NAt7xBs/HdWcCclb23L1VeIrS3WLszsqBv6T+ cQrQdFJE4UMX0Yv6hft/jhBzIv5qQqnKN50TNx4Fre0AtM026qS6YJw+oInBwmMOuk4Y5sdJfb+K 7HI8dn9mw3iJprSiKMI= )`
	RRSIG=11102 and DNSKEY=11102/SEP verifies the DNSKEY RRset
	Query to sec1.rcode0.net for bogus.d2a1n1.rootcanary.net/A
	Received 253 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 253 octets ;; HEADER SECTION ;; id = 53235 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d2a1n1.rootcanary.net. 60 IN A 145.97.20.20 bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sec1.rcode0.net is authoritative for bogus.d2a1n1.rootcanary.net
	Query to sec1.rcode0.net for bogus.d2a1n1.rootcanary.net/DNSKEY
	Received 530 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 530 octets ;; HEADER SECTION ;; id = 14926 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) d2a1n1.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2025121706 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d2a1n1.rootcanary.net. 60 IN RRSIG ( SOA 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. JiPof19VyE6ydGrDu5PUEUdjRl0BIy0llZw27FtfRpWeEUqKY5dWiGUx8jRBFw9RxxC4oKfNlvad UyEinibu04PdHkDXU/+fYro1WJ+Vf/vPc7xkHKDUEOArWG8X/GBnOT6XdmvTEHOeyO88dSh3tmKN rsiQ1uclEtzI9Yvlbi0= ) bogus.d2a1n1.rootcanary.net. 60 IN NSEC ( *.bogus.d2a1n1.rootcanary.net. A AAAA RRSIG NSEC ) bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( NSEC 1 4 86400 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. a56hvxjPlAqODFbSj6MSscObvl2Ni0k+jDTHTRnwVyUKpIhjN8i1kOVb1evW8KCr2+YT8EM2/f1t YuCUAmsP2jSeiI9JuLcwBgyJj6a9FN/qxfyTJpSjlaNHG/Lrf99gSdtuG87JuwVibJow7BaZSIhB c70VnaocKGnN8BHYW8o= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found RRSIG signed by d2a1n1.rootcanary.net zone
	Query to sec2.rcode0.net for d2a1n1.rootcanary.net/SOA
	Received 292 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 292 octets ;; HEADER SECTION ;; id = 2144 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d2a1n1.rootcanary.net. IN SOA ;; ANSWER SECTION (2 records) d2a1n1.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2025121706 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d2a1n1.rootcanary.net. 60 IN RRSIG ( SOA 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. JiPof19VyE6ydGrDu5PUEUdjRl0BIy0llZw27FtfRpWeEUqKY5dWiGUx8jRBFw9RxxC4oKfNlvad UyEinibu04PdHkDXU/+fYro1WJ+Vf/vPc7xkHKDUEOArWG8X/GBnOT6XdmvTEHOeyO88dSh3tmKN rsiQ1uclEtzI9Yvlbi0= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to sec1.rcode0.net for bogus.d2a1n1.rootcanary.net/A
	Received 253 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 253 octets ;; HEADER SECTION ;; id = 5500 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d2a1n1.rootcanary.net. 60 IN A 145.97.20.20 bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	bogus.d2a1n1.rootcanary.net A RR has value 145.97.20.20
	Found 1 RRSIGs over A RRset
	`bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= )`
	RRSIG=11102 and DNSKEY=11102/SEP does not verify the A RRset (signature verification failed)
	None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

d2a1n1.rootcanary.net

	Query to sec2.rcode0.net for bogus.d2a1n1.rootcanary.net/A
	Received 253 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 253 octets ;; HEADER SECTION ;; id = 5301 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= ) bogus.d2a1n1.rootcanary.net. 60 IN A 145.97.20.20 ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sec2.rcode0.net is authoritative for bogus.d2a1n1.rootcanary.net
	Query to sec2.rcode0.net for bogus.d2a1n1.rootcanary.net/DNSKEY
	Received 530 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 530 octets ;; HEADER SECTION ;; id = 56239 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) d2a1n1.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2025121706 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d2a1n1.rootcanary.net. 60 IN RRSIG ( SOA 1 3 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. JiPof19VyE6ydGrDu5PUEUdjRl0BIy0llZw27FtfRpWeEUqKY5dWiGUx8jRBFw9RxxC4oKfNlvad UyEinibu04PdHkDXU/+fYro1WJ+Vf/vPc7xkHKDUEOArWG8X/GBnOT6XdmvTEHOeyO88dSh3tmKN rsiQ1uclEtzI9Yvlbi0= ) bogus.d2a1n1.rootcanary.net. 60 IN NSEC ( *.bogus.d2a1n1.rootcanary.net. A AAAA RRSIG NSEC ) bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( NSEC 1 4 86400 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. a56hvxjPlAqODFbSj6MSscObvl2Ni0k+jDTHTRnwVyUKpIhjN8i1kOVb1evW8KCr2+YT8EM2/f1t YuCUAmsP2jSeiI9JuLcwBgyJj6a9FN/qxfyTJpSjlaNHG/Lrf99gSdtuG87JuwVibJow7BaZSIhB c70VnaocKGnN8BHYW8o= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found RRSIG signed by d2a1n1.rootcanary.net zone
	Query to sec2.rcode0.net for bogus.d2a1n1.rootcanary.net/A
	Received 253 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 253 octets ;; HEADER SECTION ;; id = 58164 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d2a1n1.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= ) bogus.d2a1n1.rootcanary.net. 60 IN A 145.97.20.20 ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	bogus.d2a1n1.rootcanary.net A RR has value 145.97.20.20
	Found 1 RRSIGs over A RRset
	`bogus.d2a1n1.rootcanary.net. 60 IN RRSIG ( A 1 4 60 20260131073701 20251216073701 11102 d2a1n1.rootcanary.net. Iyj38Js0u2v8vSay4A/vGp/zjV7r4BLl6pZKCL3F5s3IlsnRtshG+37mNfItjNA365+uQn01ZCgt 6AarznEX4R5Dd+pEx+ZCLTA2yFLMNJKrSBwI4d6rQ5xinIDKgrWuwwfzz/YG3YLlPg5i5y1v04lQ bF+FQWuJVdlVnm6syNg= )`
	RRSIG=11102 and DNSKEY=11102/SEP does not verify the A RRset (signature verification failed)
	None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test bogus.d2a1n1.rootcanary.net at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: